What prerequisites do I need for Kubernetes to mount an EBS volume?

7/4/2018

The documentation doesn't go into detail. I imagine I would at least need an IAM role.

-- mdornfe1
amazon-ebs
kubernetes

2 Answers

7/4/2018

This is the one used by kubespray, and is very likely indicative of a rational default:

https://github.com/kubernetes-incubator/kubespray/blob/v2.5.0/contrib/aws_iam/kubernetes-minion-policy.json

with the tl;dr of that link being to create an Allow for the following actions:

  • s3:*
  • ec2:Describe*
  • ec2:AttachVolume
  • ec2:DetachVolume
  • route53:*

(although I would bet that s3:* is too wide, I don't have the information handy to provide a more constrained version; similar observation on the route53:*)

All of the Resource keys for those are * except the s3: one, which restricts the resource to buckets beginning with kubernetes-* -- unknown if that's just an example, or there is something special in the kubernetes-prefixed buckets. Obviously you might have a better list of items to populate the Resource keys to genuinely restrict attachable volumes (just be careful with dynamically provisioned volumes, as would be created by PersistentVolume resources).

-- mdaniel
Source: StackOverflow
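As an added illustration (not code from the answer above or from kubespray): a constructed policy document in the shape the answer describes, with a small checker that confirms the actions EBS attach/detach needs are allowed and flags the service-wide wildcards (s3:*, route53:*) the answer is wary of. The bucket ARN pattern and the required-action list are assumptions.

```python
"""Added example: a constructed IAM policy mirroring the actions listed in
the answer, plus a checker for required EBS actions and wildcard grants."""
import fnmatch
import json

# Constructed policy document; the bucket ARN pattern is an assumption.
KUBESPRAY_LIKE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::kubernetes-*"]},
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:AttachVolume", "ec2:DetachVolume"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["route53:*"], "Resource": "*"},
    ],
})

# Assumed minimum for attaching an existing EBS volume to a node: the cloud
# provider must look up the instance and volume, then attach/detach.
EBS_REQUIRED = ("ec2:DescribeInstances", "ec2:DescribeVolumes",
                "ec2:AttachVolume", "ec2:DetachVolume")


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json):
    """Return every Action pattern granted by Allow statements."""
    doc = json.loads(policy_json)
    return [a for s in doc["Statement"] if s["Effect"] == "Allow"
            for a in _as_list(s.get("Action", []))]


def missing_ebs_actions(policy_json):
    """Required actions not covered by any Allow pattern.
    IAM action names are case-insensitive, so compare lowercased;
    fnmatch expands the '*' in patterns such as ec2:Describe*."""
    patterns = [p.lower() for p in allowed_actions(policy_json)]
    return [a for a in EBS_REQUIRED
            if not any(fnmatch.fnmatch(a.lower(), p) for p in patterns)]


def wildcard_findings(policy_json):
    """(action, resources) for Allow actions of the form 'service:*' or '*'."""
    doc = json.loads(policy_json)
    return [(act, _as_list(stmt.get("Resource", [])))
            for stmt in doc["Statement"] if stmt["Effect"] == "Allow"
            for act in _as_list(stmt.get("Action", []))
            if act == "*" or act.endswith(":*")]
```

Run against the constructed policy, the required EBS actions are all covered while s3:* and route53:* are reported for review.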

7/4/2018

This is what we have done and it worked well.

I was on Kubernetes 1.7.2 and trying to provision storage (dynamic/static) for Kubernetes pods on AWS. Some of the things mentioned below may not be needed if you are not looking for dynamic storage classes.

Made sure that the DefaultStorageClass admission controller is enabled on the API server. (DefaultStorageClass is among the comma-delimited, ordered list of values for the --enable-admission-plugins flag of the API server component.)

I have given the options --cloud-provider=aws and --cloud-config=/etc/aws/aws.config (while starting apiserver, controller-manager, kubelet) (the file /etc/aws/aws.conf is present on the instance with the contents below).

$ cat /etc/aws/aws.conf
[Global]
Zone = us-west-2a

Created an IAM policy and added it to a role (as in the link below), created an instance profile for it and attached it to the instances. (NOTE: I missed attaching the instance profile and it did not work.) https://medium.com/@samnco/using-aws-elbs-with-the-canonical-distribution-of-kubernetes-9b4d198e2101

For dynamic provisioning: created a storage class and made it the default.

Let me know if this did not work.

Regards, Sudhakar

-- Sudhakar MNSR
Source: StackOverflow